Abstract

Recently, Yang and Tan proposed a certificateless key exchange protocol without pairing and claimed that their scheme satisfies forward secrecy, which means that no adversary can derive an already-established session key unless the full user secret keys (consisting of a private key and an ephemeral secret key) of both communicating parties are compromised. In this paper, however, we point out that their protocol is not as secure as claimed by presenting an attack launched by an adversary who has learned the private key of one party and the ephemeral secret key of the other, but not the full user secret keys of both parties. Furthermore, to remedy this flaw, we provide an improved protocol in which the private key and the ephemeral secret key are closely intertwined with each other in generating the session key, so that the above attack is efficiently resisted.
1. Introduction

In traditional public key cryptography (PKC), a trusted certification authority (CA) signs a digital certificate for each user, and the public key infrastructure (PKI) manages the certificates to provide the authenticity of public keys. However, certificate management, including distribution, revocation, storage and validation cost, faces many challenges in practice [1]. To resolve the problem of certificate management, identity-based public key cryptography (ID-PKC) was proposed by Shamir [2] in 1984. Its basic idea is that users can choose arbitrary strings, such as their email addresses or other online identifiers, as their public keys, and the corresponding private keys are created by binding the identities with a master key of a trusted private key generator (PKG). In this case there is no need for certificates, but a new problem arises: the KGC is needed to generate the private key of every user from his identity, which means it can obtain all users' secret keys. Thus, ID-PKC has to confront the so-called key escrow problem. In order to eliminate the drawbacks of both ID-PKC and PKI, a new paradigm of certificateless public key cryptography (CL-PKC) was proposed by Al-Riyami and Paterson [3] in 2003. The basic idea of CL-PKC is to construct the private key by combining a partial private key generated by the KGC with a secret value chosen by the user himself. Obviously, CL-PKC is more attractive, since it receives the benefits of both ID-PKC and traditional PKI. Thus, CL-PKC is often considered a cross between PKI and ID-PKC.

Key exchange (KE) protocols are mechanisms by which two or more parties communicating over an insecure network establish a shared key. However, compared with certificateless encryption and signature [4-13], key exchange protocols based on CL-PKC have seldom been studied. Al-Riyami and Paterson [3] proposed the first certificateless key exchange protocol, which had no formal security model or proof. Later, some certificateless key exchange (CL-KE) protocols [1,14,15] were proposed with heuristic security analysis. Then, Swanson [16] gave a general security analysis of the proposed certificateless key exchange protocols. However, all of the certificateless key exchange protocols above are based on bilinear pairings. Compared with exponentiations, the computation of a pairing is extremely expensive, so certificateless key exchange protocols without pairing were proposed by Geng and Hou [17,18]. Unfortunately, none of these protocols is secure [19]. Recently, Yang and Tan [20] proposed a new CL-KE protocol without pairing and claimed that their scheme is strongly secure in their security model.

In this paper, we point out that Yang and Tan's protocol is not as secure as claimed by presenting an attack launched by an adversary who has learned the private key of one party and the ephemeral secret key of the other, but not the full user secret keys of both parties. That is, the adversary can make a RevealEphemeralKey(A, $i$) query to learn the ephemeral secret key $e_A$ of one communication party A and a RevealSecretValue(B) query to learn the private key $S_B$ of the corresponding party B, and then successfully calculates the session key, which means that forward secrecy is not satisfied. Furthermore, to remedy this flaw, we also provide an improved protocol in which the private key and the ephemeral secret key are closely intertwined with each other in generating the session key. In other words, we add $Z_8 = g^{(e_B+z_B)(e_A+S_A+z_A)}$ and $Z_9 = g^{(e_A+S_A)(S_B+e_B)}$ to the generated session key, such that no adversary can calculate $Z_8$ or $Z_9$ even if he knows the values of $e_A$ and $S_B$. Thus, the session key cannot be computed, and our improved protocol effectively avoids the attack mentioned above.

The rest of this paper is organized as follows. In Section 2, we describe certificateless key exchange protocols and their security model. In Section 3, we review Yang and Tan's strongly secure certificateless key exchange protocol without pairing. In Section 4, we give our attack on Yang and Tan's scheme as well as a possible improvement. We give some further security discussion in Section 5. Finally, we conclude the paper in Section 6.

2. Certificateless key exchange and its security model 

2.1. Certificateless key exchange 

A CL-KE protocol is specified by the following probabilistic polynomial time algorithms:

Setup($1^k$). This algorithm takes a security parameter $k$ as input and returns the master secret key $msk$ and the master public key $mpk$.

ExtractIdBasedKey($msk$, ID). This algorithm takes the master secret key $msk$ and a user's identity ID as input, and returns a partial private key $D_{ID}$ corresponding to the user.

SetSecretValue($mpk$, ID). This algorithm takes the master public key $mpk$ and a user's identity ID as input, and returns a secret value $S_{ID}$ corresponding to the user.

SetPublicKey($mpk$, $D_{ID}$, $S_{ID}$). This algorithm takes the master public key $mpk$, a user's partial private key $D_{ID}$ and secret value $S_{ID}$ as input, and returns a public key $pk_{ID}$ corresponding to the user.

SetPrivateKey($mpk$, $D_{ID}$, $S_{ID}$). This algorithm takes the master public key $mpk$, a user's partial private key $D_{ID}$ and secret value $S_{ID}$ as input, and returns a full private key $sk_{ID}$ corresponding to the user.

2.2. Adversarial model 

In a CL-KE protocol as defined in [1], the adversarial model is defined via a game between an adversary $\mathcal{A}$ and a game simulator $\mathcal{S}$. At first, $\mathcal{S}$ runs the setup algorithm to generate $(mpk, msk)$ and returns $mpk$ to $\mathcal{A}$. Then $\mathcal{A}$ can deliver, drop, modify or inject messages, since he controls the whole network. Furthermore, $\mathcal{A}$ may ask a polynomial number of the following queries:

CreateUser(ID). By this query, the adversary $\mathcal{A}$ sets up a new user with identity ID. Upon receiving such a query, $\mathcal{S}$ generates $D_{ID}$, $S_{ID}$, $pk_{ID}$ and $sk_{ID}$, and returns $pk_{ID}$ to $\mathcal{A}$.

Send($U$, $i$, $m$). By this query, the adversary $\mathcal{A}$ inputs the message $m$ to the instance $\Pi^i_U$; $\Pi^i_U$ executes the protocol and returns the output message $m_{out}$ to $\mathcal{A}$.

RevealMasterKey($U$). This query allows $\mathcal{A}$ to obtain $msk$.

RevealIDBasedKey($U$). This query allows $\mathcal{A}$ to learn $D_U$.

RevealSecretValue($U$). This query allows $\mathcal{A}$ to obtain $S_U$.

RevealSecretKey($U$). This query allows $\mathcal{A}$ to learn $sk_U$.

RevealEphemeralKey($U$, $i$). This query allows $\mathcal{A}$ to obtain the ephemeral secret key generated by $\Pi^i_U$.

RevealSessionKey($U$, $i$). This query allows $\mathcal{A}$ to learn the session key $ssk^i_U$ if $\Pi^i_U$ has accepted; otherwise, $\bot$ is returned.

ReplacePublicKey($U$, $(pk_U)'$). This query allows $\mathcal{A}$ to replace $U$'s public key with $pk_U = (pk_U)'$. After this query, $\mathcal{S}$ will use the new key pair as $U$'s public/private key pair.

Test($U^*$, $i^*$). This query allows $\mathcal{A}$ to select a challenge instance $\Pi^{i^*}_{U^*}$ that has accepted. Upon receiving this query, a random coin $b$ is flipped by $\mathcal{S}$. If $b = 1$, then $\mathcal{S}$ returns $ssk^{i^*}_{U^*}$ to $\mathcal{A}$; otherwise, a random session key is drawn from the session key space and returned to the adversary. This query is made only once by $\mathcal{A}$ during the game, and $\Pi^{i^*}_{U^*}$ must have accepted the conversation and be fresh (defined below).

At the end of the game, the adversary $\mathcal{A}$ outputs a bit $b'$ as her guess for $b$. The advantage of $\mathcal{A}$ in winning the game is defined as $Adv^{ke}_{\mathcal{A}}(k) = 2\Pr[b' = b] - 1$.

As an instance $\Pi^i_U$ uses both the long-term key pair $((ID_U, pk_U), sk_U)$ and the ephemeral key pair $(epk_U, esk_U)$, once both $sk_U$ and $esk_U$ are exposed, the adversary can trivially compute the session key $ssk^i_U$. The instance $\Pi^i_U$ is safe if none of the following conditions is true (and exposed otherwise):

(1) The adversary makes a RevealSessionKey($U$, $i$) query.

(2) The adversary makes both RevealSecretKey($U$) and RevealEphemeralKey($U$, $i$) queries.

(3) The adversary makes a RevealMasterKey query or a RevealIDBasedKey($U$) query, and also makes both a RevealSecretValue($U$) query and a RevealEphemeralKey($U$, $i$) query.

(4) $\Pi^i_U$ uses a public/private key pair which is different from its original key pair, and the adversary makes a RevealMasterKey query or a RevealIDBasedKey($U$) query, and also makes a RevealEphemeralKey($U$, $i$) query.

Definition 1. Session Freshness

Let $\Pi^i_U$ denote an instance with $acc^i_U = \mathrm{true}$ and $pid^i_U = V$. If any of the following conditions is true, $\Pi^i_U$ is unfresh.

(1) $\Pi^i_U$ is exposed.

(2) $\Pi^i_U$ has a partner instance $\Pi^j_V$, and $\Pi^j_V$ is exposed.

(3) $\Pi^i_U$ has no partner instance, and either of the following cases happens:

(a) the adversary makes a RevealMasterKey query or a RevealIDBasedKey($V$) query, and makes a RevealSecretValue($V$) query;

(b) the adversary makes a RevealSecretKey($V$) query;

(c) the adversary makes a RevealMasterKey query or a RevealIDBasedKey($V$) query, and makes a ReplacePK($V$, $U$, $i$) query/request.

Definition 2. A CL-KE protocol is said to be secure if

(1) in the presence of a benign adversary who only faithfully conveys messages, the two instances output the same session key;

(2) for any PPT adversary, $Adv^{ke}_{\mathcal{A}}(k)$ is negligible.

Definition 3. Forward Secrecy

Forward secrecy means that learning the full user secret key should not allow an adversary to derive an already-established session key.



3. Review of Yang and Tan's CL-KE protocol

Yang and Tan's certificateless key exchange protocol without pairing [20] consists of six algorithms: Setup, ExtractIdBasedKey, SetSecretValue, SetPublicKey, SetPrivateKey and KeyExchange, which are described as follows.

Let DS = (KG, Sig, Ver) denote a digital signature scheme that is unforgeable under adaptive chosen-message attack [21].

Setup($1^k$). KGC chooses a cyclic group $G$ of prime order $q$, picks a random number $x \in Z_q$ and $g \in G \setminus \{1\}$, and computes $y = g^x$. Then, KGC runs the key generation algorithm of DS to generate a signature/verification key pair $(sk, vk)$. At last, KGC sets $msk = (x, sk)$ and $mpk = (y, vk)$.

ExtractIdBasedKey($msk$, ID). Given an identity ID, KGC picks a random number $a \in Z_q$, computes $R_{ID} = g^a$ and $z_{ID} = a + H_1(ID \| R_{ID})\, x \bmod q$, generates a signature $\sigma_{ID} = \mathrm{Sig}(sk, ID \| R_{ID})$ and sets $D_{ID} = (R_{ID}, \sigma_{ID}, z_{ID})$.

SetSecretValue($mpk$, ID). The user with identity ID randomly selects $t \in Z_q$ and sets $S_{ID} = t$.

SetPublicKey($mpk$, $D_{ID}$, $S_{ID}$). Given the user's secret value $S_{ID}$ and ID-based key $D_{ID}$, the user computes $U_{ID} = g^{S_{ID}}$ and sets $pk_{ID} = (U_{ID}, R_{ID}, \sigma_{ID})$.

SetPrivateKey($mpk$, $D_{ID}$, $S_{ID}$). Given the master public key $mpk$, the secret value $S_{ID}$ and the ID-based key $D_{ID}$, the user sets $sk_{ID} = (D_{ID}, S_{ID})$.

Key Exchange. To establish a session key, party A and party B exchange the following messages:

A → B: $ID_A$, $pk_A$, $E_A = g^{e_A}$;

B → A: $ID_B$, $pk_B$, $E_B = g^{e_B}$,

where $e_A \in Z_q$ and $e_B \in Z_q$ are randomly selected by A and B respectively. The computation of the session key between A and B is as follows.

Party A computes

$Z_1 = E_B^{e_A}$, $Z_2 = U_B^{S_A}$, $Z_3 = (R_B\, mpk^{H_1(ID_B \| R_B)})^{z_A}$, $Z_4 = U_B^{e_A}$,

$Z_5 = E_B^{S_A}$, $Z_6 = (E_B R_B\, mpk^{H_1(ID_B \| R_B)})^{e_A + z_A}$,

$Z_7 = (U_B R_B\, mpk^{H_1(ID_B \| R_B)})^{S_A + z_A}$,

and outputs the session key as

$ssk = H_2(sid, Z_1, Z_2, Z_3, Z_4, Z_5, Z_6, Z_7)$,

where $sid = ID_A, ID_B, pk_A, E_A, pk_B, E_B$.

Party B computes

$Z_1 = E_A^{e_B}$, $Z_2 = U_A^{S_B}$, $Z_3 = (R_A\, mpk^{H_1(ID_A \| R_A)})^{z_B}$, $Z_4 = U_A^{e_B}$,

$Z_5 = E_A^{S_B}$, $Z_6 = (E_A R_A\, mpk^{H_1(ID_A \| R_A)})^{e_B + z_B}$,

$Z_7 = (U_A R_A\, mpk^{H_1(ID_A \| R_A)})^{S_B + z_B}$,

and outputs the session key as

$ssk = H_2(sid, Z_1, Z_2, Z_3, Z_4, Z_5, Z_6, Z_7)$,

where $sid = ID_A, ID_B, pk_A, E_A, pk_B, E_B$.



4. Analysis and improvement of Yang and Tan's protocol 

Yang and Tan [20] claimed that their protocol is provably secure in the random oracle model, including forward secrecy. That is, if an attacker does not know all of $(D_A, S_A, esk_A)$ or all of $(D_B, S_B, esk_B)$, the attacker is unable to derive the session key. However, in this section we disprove their result by giving a concrete attack, and propose an improved scheme to prevent this attack.

4.1. Attack

For this protocol, to derive a session key, an adversary can first make two RevealExtractIDBasedKey queries to learn $z_A$ and $z_B$, then make a RevealSecretValue(B) query to learn $S_B$ and a RevealEphemeralKey(A, $i$) query to learn $e_A$. Obviously, the adversary learns neither $S_A$ nor $e_B$, which satisfies the requirements of Yang and Tan's security model. However, the adversary can still compute the session key. To attack this protocol, the adversary performs the following steps.

First, on party A's side, the adversary can compute

$Z_3 = (R_B\, mpk^{H_1(ID_B \| R_B)})^{z_A}$,

$Z_4 = U_B^{e_A}$,

$Z_6 = (E_B R_B\, mpk^{H_1(ID_B \| R_B)})^{e_A + z_A}$.

As the adversary cannot make a RevealSecretValue(A) query, he cannot obtain the value of $S_A$, and hence cannot compute $Z_2$, $Z_5$ and $Z_7$ in this way.

However, on party B's side, the adversary does not know the value of $e_B$ but has learned $S_B$ and $z_B$, and can compute

$Z_2 = U_A^{S_B}$,

$Z_5 = E_A^{S_B}$,

$Z_7 = (U_A R_A\, mpk^{H_1(ID_A \| R_A)})^{S_B + z_B}$.

It is easy to see that the adversary can thus derive the session key as

$ssk = H_2(sid, Z_1, Z_2, Z_3, Z_4, Z_5, Z_6, Z_7)$,

where $sid = ID_A, ID_B, pk_A, E_A, pk_B, E_B$.

The adversary can successfully calculate the session key because the computations on the side of party A and on the side of party B are completely independent and symmetric.

4.2. Our improved scheme 

From the analysis in the previous section, we can see that the insecurity of Yang and Tan's protocol is due to the independence of the ephemeral keys $e_A, e_B$ from the ID-based keys $z_A, z_B$: $e_A, e_B$ and $z_A, z_B$ are not intertwined closely enough. In the following, we make a slight modification to Yang and Tan's protocol and obtain a new CL-KE protocol without pairing which can resist the attack mentioned above. Our improvement is as follows.

Setup, ExtractIdBasedKey, SetSecretValue, SetPublicKey and SetPrivateKey are the same as those in Section 3.

Key Exchange

To establish a session key, party A and party B exchange the following messages:

A → B: $ID_A$, $pk_A$, $E_A = g^{e_A}$;

B → A: $ID_B$, $pk_B$, $E_B = g^{e_B}$,

where $e_A \in Z_q$ and $e_B \in Z_q$ are randomly selected by A and B respectively. The computation of the session key between A and B is as follows.

Party A computes

$Z_1 = E_B^{e_A}$, $Z_2 = U_B^{S_A}$, $Z_3 = (R_B\, mpk^{H_1(ID_B \| R_B)})^{z_A}$, $Z_4 = U_B^{e_A}$,

$Z_5 = E_B^{S_A}$, $Z_6 = (E_B R_B\, mpk^{H_1(ID_B \| R_B)})^{e_A + z_A}$,

$Z_7 = (U_B R_B\, mpk^{H_1(ID_B \| R_B)})^{S_A + z_A}$,

$Z_8 = (E_B R_B\, mpk^{H_1(ID_B \| R_B)})^{e_A + S_A + z_A}$, $Z_9 = (U_B E_B)^{S_A + e_A}$,

and outputs the session key as

$ssk = H_2(sid, Z_1, Z_2, Z_3, Z_4, Z_5, Z_6, Z_7, Z_8, Z_9)$,

where $sid = ID_A, ID_B, pk_A, E_A, pk_B, E_B$.

Party B computes

$Z_1 = E_A^{e_B}$, $Z_2 = U_A^{S_B}$, $Z_3 = (R_A\, mpk^{H_1(ID_A \| R_A)})^{z_B}$, $Z_4 = U_A^{e_B}$,

$Z_5 = E_A^{S_B}$, $Z_6 = (E_A R_A\, mpk^{H_1(ID_A \| R_A)})^{e_B + z_B}$,

$Z_7 = (U_A R_A\, mpk^{H_1(ID_A \| R_A)})^{S_B + z_B}$,

$Z_8 = (E_A U_A R_A\, mpk^{H_1(ID_A \| R_A)})^{e_B + z_B}$, $Z_9 = (U_A E_A)^{S_B + e_B}$,

and outputs the session key as

$ssk = H_2(sid, Z_1, Z_2, Z_3, Z_4, Z_5, Z_6, Z_7, Z_8, Z_9)$,

where $sid = ID_A, ID_B, pk_A, E_A, pk_B, E_B$.
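As an added worked example (not code from this paper or from Yang and Tan), the following Python script instantiates the key-generation algorithms of Section 3 and the new terms $Z_8$ and $Z_9$ of the improved key exchange above over a small toy Schnorr group. It checks the two facts on which the analysis of Section 4 rests: first, the ID-based public part $R_{ID}\, mpk^{H_1(ID \| R_{ID})}$ equals $g^{z_{ID}}$ while being computable from public data alone, which is why an adversary holding $z_A$ and $e_A$ can compute $Z_3$ and $Z_6$ exactly as party A does in Section 4.1; second, $Z_8$ and $Z_9$ as computed by A and by B agree. The group parameters $(p, q, g)$, the hash $H_1$ (SHA-256 reduced modulo $q$) and the identities "Alice" and "Bob" are constructed here for illustration and are far too small for real use; the signature component $\sigma_{ID}$ is omitted, since it plays no role in the session-key computation.

```python
import hashlib
import secrets

# Constructed toy group: p = 2q + 1 with q prime, g of order q (toy size only).
P, Q, G = 1019, 509, 4


def h1(identity: str, r: int) -> int:
    # H_1(ID || R_ID): SHA-256 of the encoded pair, reduced into Z_q (assumed instantiation).
    return int.from_bytes(hashlib.sha256(f"{identity}|{r}".encode()).digest(), "big") % Q


def rand_zq() -> int:
    # Uniform non-zero element of Z_q.
    return secrets.randbelow(Q - 1) + 1


def setup():
    # KGC: msk = x, mpk = y = g^x (the DS signing key pair is omitted here).
    x = rand_zq()
    return x, pow(G, x, P)


def extract_id_based_key(x: int, identity: str):
    # D_ID = (R_ID, z_ID) with R_ID = g^a and z_ID = a + H_1(ID||R_ID) * x mod q.
    a = rand_zq()
    r = pow(G, a, P)
    return r, (a + h1(identity, r) * x) % Q


def set_public_key(s: int, r: int):
    # pk_ID = (U_ID, R_ID) with U_ID = g^{S_ID}; sigma_ID omitted.
    return pow(G, s, P), r


def id_based_public_part(identity: str, r: int, y: int) -> int:
    # R_ID * mpk^{H_1(ID||R_ID)}: equals g^{z_ID}, yet needs only public values.
    return r * pow(y, h1(identity, r), P) % P


def z3_z6_from_a_secrets(peer_id, peer_r, e_b_pub, e_a, z_a, y):
    # Z_3 and Z_6 as party A computes them; the same formula is available to
    # anyone holding A's (e_A, z_A), which is the first step of the attack in 4.1.
    gz_b = id_based_public_part(peer_id, peer_r, y)
    return pow(gz_b, z_a, P), pow(e_b_pub * gz_b % P, (e_a + z_a) % Q, P)


def z3_z6_party_b(peer_id, peer_r, e_a_pub, e_b, z_b, y):
    # Z_3 and Z_6 as party B computes them from its own (e_B, z_B).
    gz_a = id_based_public_part(peer_id, peer_r, y)
    return pow(gz_a, z_b, P), pow(e_a_pub * gz_a % P, (e_b + z_b) % Q, P)


def z8_z9_party_a(peer_id, peer_pk, e_b_pub, e_a, s_a, z_a, y):
    # Z_8 = (E_B R_B mpk^{H_1})^{e_A+S_A+z_A}, Z_9 = (U_B E_B)^{S_A+e_A}.
    u_b, r_b = peer_pk
    base8 = e_b_pub * id_based_public_part(peer_id, r_b, y) % P
    return pow(base8, (e_a + s_a + z_a) % Q, P), pow(u_b * e_b_pub % P, (s_a + e_a) % Q, P)


def z8_z9_party_b(peer_id, peer_pk, e_a_pub, e_b, s_b, z_b, y):
    # Z_8 = (E_A U_A R_A mpk^{H_1})^{e_B+z_B}, Z_9 = (U_A E_A)^{S_B+e_B}.
    u_a, r_a = peer_pk
    base8 = e_a_pub * u_a % P * id_based_public_part(peer_id, r_a, y) % P
    return pow(base8, (e_b + z_b) % Q, P), pow(u_a * e_a_pub % P, (s_b + e_b) % Q, P)


def run_checks() -> dict:
    # One full run with constructed identities "Alice" (A) and "Bob" (B).
    x, y = setup()
    users = {}
    for ident in ("Alice", "Bob"):
        r, z = extract_id_based_key(x, ident)
        s = rand_zq()                      # SetSecretValue: S_ID = t
        users[ident] = dict(r=r, z=z, s=s, pk=set_public_key(s, r))
    a, b = users["Alice"], users["Bob"]
    e_a, e_b = rand_zq(), rand_zq()        # ephemeral secrets e_A, e_B
    ea_pub, eb_pub = pow(G, e_a, P), pow(G, e_b, P)
    return {
        # R_ID * y^{H_1} reconstructs g^{z_ID} for both users
        "public_part_ok": all(id_based_public_part(i, u["r"], y) == pow(G, u["z"], P)
                              for i, u in users.items()),
        # Z_3, Z_6 from A's secrets match what B computes from B's secrets
        "z3_z6_match": z3_z6_from_a_secrets("Bob", b["r"], eb_pub, e_a, a["z"], y)
                       == z3_z6_party_b("Alice", a["r"], ea_pub, e_b, b["z"], y),
        # Z_8, Z_9 of the improved scheme agree between A and B
        "z8_z9_match": z8_z9_party_a("Bob", b["pk"], eb_pub, e_a, a["s"], a["z"], y)
                       == z8_z9_party_b("Alice", a["pk"], ea_pub, e_b, b["s"], b["z"], y),
    }


if __name__ == "__main__":
    print(run_checks())
```

The exponents are reduced modulo $q$ before each exponentiation because every base lies in the order-$q$ subgroup, so $z_{ID} = a + H_1(ID \| R_{ID})\,x \bmod q$ and $g^{z_{ID}}$ are consistent with $R_{ID}\, y^{H_1(ID \| R_{ID})} = g^{a}\, g^{xH_1(ID \| R_{ID})}$.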

5. Security discussion 

In this section, we analyze the security of the improved protocol and show that it works correctly. Since our protocol is derived from Yang and Tan's protocol with appropriate modifications, it can achieve forward secrecy. Through analysis of the protocol, we show that it can withstand some known attacks, for example the public key replacement attack.

1) Known-key secrecy

Even if a session key is compromised, the adversary does not compromise past or future sessions, since short-term keys are used in generating session keys. Even when the two participants of the protocol remain the same, different session keys are generated.

2) Forward secrecy

Even if the long-term private key is compromised, the adversary cannot reveal previously established session keys. Even if the adversary obtains the values of $e_A$ and $S_B$, he can calculate neither $Z_8$ nor $Z_9$; that is, he cannot compute the session key, so this protocol achieves perfect forward secrecy.

3) PKG forward secrecy

The big advantage of CL-PKC is the absence of key escrow. Even if the PKG's master private key is compromised, the adversary (including the PKG) cannot reveal previously established session keys. The adversary may generate partial private keys; however, in order to compute the established key, the adversary would also have to obtain both the short-term private key and the full (long-term) private key.

4) Unknown key-share resilience

The aim of this attack is to make one participant believe that a key is shared with another participant, and to force the two participants to share the same secret. However, the two participants can never share the same key, since they use the identifier of the intended peer when they compute the session key.

5) Key-compromise impersonation

Key-compromise impersonation does not work in our proposed protocol. Armed with the private key of A, an adversary can impersonate B to A; however, he cannot compute the required value without knowing the private key of B.

6) Known session-specific information security

If the short-term private key is compromised, the established key is still not revealed. Specifically, even if an adversary obtains the values of $z_A$ and $z_B$ in any session between A and B, he cannot compute $Z_1$ and $Z_8$.

6. Conclusion 

In this paper, by giving a concrete attack, we have shown that Yang and Tan's CL-KE protocol without pairing is not secure under their security model. We have also presented an improvement to prevent the attack and given some further security discussion.